Mozilla Closes Critical Security Vulnerabilities in Firefox 150.0.1

Mozilla released the update to Firefox 150.0.1 on April 30, 2026, which addresses several vulnerabilities classified as critical. This update is available for the operating systems Windows, macOS, and Linux. The security report MFSA2026-35 lists four closed security vulnerabilities, one of which, CVE-2026-7320, stems from a weakness discovered by an external security researcher. The CVE-2026-7320 vulnerability concerns a data leak in the audio-video component of Firefox and is classified by Mozilla as high risk.

The other three entries in the security report are internally discovered vulnerabilities summarized under the CVE numbers CVE-2026-7322, CVE-2026-7323, and CVE-2026-7324. These vulnerabilities affect all three supported Firefox generations as well as both Thunderbird generations. A particularly critical entry, CVE-2026-7322, relates to memory errors, which Mozilla classifies as critical. These errors could potentially be exploited to gain unauthorized access to systems. Mozilla has not provided further details on the exact differences between these critical vulnerabilities and those classified as high risk.

In addition to the vulnerabilities in Firefox 150.0.1, the ESR versions 140.10.1 and 115.35.1 have also been updated. These versions are specifically available for older operating systems such as Windows 7 and 8.1, as well as macOS 10.12 to 10.14. The ESR version 140.10.1 fixed another vulnerability, CVE-2026-7321, which occurs only in this generation. The ESR version 115.35.1 also includes at least two closed security vulnerabilities. These updates are part of Mozilla's ongoing efforts to ensure the security of their software and protect users from potential threats.

One week prior, Mozilla had already released Firefox 150. In three weeks, on May 19, 2026, the company plans to release Firefox 151. These regular updates are part of Mozilla's strategy to enhance the security and stability of the browser. Another aspect of Mozilla's security strategy is collaboration with Anthropic.

Since the beginning of the year, Mozilla has been using a beta version of the AI called Claude Mythos, which is capable of identifying security vulnerabilities in the source code of Firefox. According to Mozilla, Mythos has discovered over 200 security vulnerabilities in Firefox 150, which are not listed in the official security reports. Mozilla's CTO, Bobby Holley, commented on the benefits of Claude Mythos in the Mozilla Blog. He emphasized that this tool can help find vulnerabilities before they can be exploited by attackers. However, the effectiveness of this AI depends on Anthropic protecting it from unauthorized access and not making it available to everyone.

The vulnerabilities in Firefox and Thunderbird affect not only the desktop versions but also the ESR versions, which are significant for businesses and organizations. Mozilla is committed to continuously improving the security of its products and informing users about potential risks. The release of Firefox 150.0.1 and the closure of critical security vulnerabilities are part of Mozilla's comprehensive approach to enhancing cybersecurity. Users are encouraged to regularly update their software to benefit from the latest security improvements. Mozilla has emphasized in its security report that the vulnerabilities fixed in the ESR versions may also exist in older versions of Firefox and Thunderbird. However, the exact number of affected systems is not known. The CVE-2026-7322 vulnerability affects all three supported Firefox generations as well as both Thunderbird generations, underscoring the urgency of the updates.